1. Field of the Invention
The present invention relates to the field of information security and more particularly the present invention relates to compliance auditing for information security and security incident investigation in an enterprise computing system.
2. Description of the Related Art
Information technologists constantly struggle to protect internal computing assets from harm. Threats generally are perceived as external threats, including viruses, Trojan logic, spyware, and the like. These external attacks are aimed mainly at disrupting business and crippling the ability of the network to function. In fact, in several high-profile reported instances, attackers have been able to hijack powerful computing servers from which large-scale attacks have been launched with a global impact upon the Internet. Hence, information technologists have spent considerable sums arming themselves with technology designed to prevent external intrusions, starting at the perimeter with the global Internet.
Today, preventative measures such as firewall appliances, virtual private networks, anti-virus logic, intrusion detection systems and newer intrusion prevention technologies have become commonplace within network architectures. These technologies have proven their value in protecting computing assets from external threats. Perimeter-based protection, however, has resulted in a “tootsie roll” architecture in which a hard shell protects computing assets from threats from the outside world, while the interior within the perimeter can be characterized only as soft. In this regard, most computing networks lack internal policies for controlling access to data, and few tracking mechanisms exist to monitor user activities internally.
Recently, a disturbing trend has emerged which poses a far greater threat than typical external attacks. The trusted internal user now threatens the integrity of the enterprise by exercising malicious intent while accessing the privileged, soft, internal portions of trusted systems, which enjoy minimal security at best under the tootsie-roll paradigm. Yet data manipulation by trusted users can be far more damaging than any external threat. Notably, malicious activity performed by internal users, for instance changes in access permissions, can be subtle and disguised as normal activity, with few footprints to alert system administrators.
In the case of publicly traded companies, where sensitive data must be reported to investors in a coordinated, timely manner, the effects of a breach of data security can be devastating and can result in the criminal prosecution of the company. However, traditional security measures cannot protect the greatest asset of a company: its critical financial, customer and proprietary data. Despite the existence of policies and procedures, there remains little protection from internal fraud committed through the use of enterprise computing assets.
Importantly, the need to control data and access to data in the enterprise has become a paramount consideration due to recent United States government mandates addressing the distribution and control of information in publicly traded companies. Legislation such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act has created new regulatory environments with respect to information security. Consequently, many organizations are struggling to extract the necessary information from increasingly complex information systems to ensure compliance.
In addition to the compliance component of various legislative initiatives, many organizations impose a requirement that breaches of information security policy and procedure be thoroughly investigated. Given that all computing applications operate in an operating system environment, whether a stand-alone operating system or a virtual machine, the operating system environment, if insecure, can become the weak link in the security chain. Notwithstanding, few, if any, operating systems today provide adequate tools for answering the critical and, in many industries, legislatively mandated question of which users enjoy a particular level of access to a particular type of data or resource in the enterprise.
Modern operating system environments utilize hierarchical structures for storing user and access permission data for an enterprise. Typically, information relating to users and access permissions can be accessed within the hierarchical structure through a directory mechanism. As with any scalable directory system, however, as the operating environment becomes large and globally distributed, the hierarchy becomes deeply nested, with objects, users, and groups nested in other object containers such as organizational units and in other groups. Beyond a certain threshold, it becomes difficult to extract meaningful security-related information from the hierarchy. Accordingly, due in part to the growing web of interrelated objects and the trust relationships between those objects, questions such as who has effective administrator access to the operating environment, or who can access a specific file, can become nearly impossible for organizations to answer with available tools.
Furthermore, to aggravate matters, much of the information that is available and readily accessible within the hierarchy can be irrelevant, buried in the ‘noise’ of a rush of irrelevant data. Alternatively, the information can be considered important only within the context of a correlated data set. In other words, not only is the important data difficult to extract from today's operating systems, but the important data often is lost in a flood of uncorrelated and raw data. Unless an auditor or examiner explicitly seeks specific information, interesting, anomalous events (such as a user in accounting who suddenly gains administrator privileges due to a system compromise and privilege elevation attack) often are not noticed until it is too late, or are never noticed at all.
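The two problems described above, resolving effective membership through nested groups (who is effectively an administrator, who can access a given resource) and noticing a subtle privilege elevation hidden several levels deep in the hierarchy, are illustrated by the following Python example. It is added here for illustration and is not part of the patent text or of any product described by it. The directory snapshots, group names and user names are constructed and hypothetical; a real deployment would populate them from a directory query (for instance LDAP) rather than from literals.

```python
"""Resolve effective group membership through nested groups and diff two
directory snapshots to flag privilege elevation.

Added example; the directory data below is constructed for illustration.
Members of a group are either user names or other groups, the latter
marked with the "group:" prefix.
"""
from collections import deque

GROUP_PREFIX = "group:"

# Constructed snapshot of a directory. "Server Ops" is nested in
# "Domain Admins", and "Backup Operators" in "Server Ops". The reference
# from "Server Ops" back to "Domain Admins" deliberately creates a cycle,
# which real directories also contain and which a naive recursion would
# loop on forever.
SNAPSHOT_BEFORE = {
    "Domain Admins": {"alice", "group:Server Ops"},
    "Server Ops": {"bob", "group:Backup Operators", "group:Domain Admins"},
    "Backup Operators": {"carol"},
    "Accounting": {"dave", "erin"},
}

# Later snapshot: the only change is that "Accounting" was added to
# "Backup Operators", three levels below "Domain Admins". Nobody was
# added to "Domain Admins" directly, so a flat membership listing of
# that group shows nothing new.
SNAPSHOT_AFTER = {group: set(members) for group, members in SNAPSHOT_BEFORE.items()}
SNAPSHOT_AFTER["Backup Operators"].add("group:Accounting")


def effective_members(directory, group):
    """Return {user: path} for every user transitively in `group`.

    `path` is the chain of groups (outermost first) that grants the
    membership, which is what an auditor needs to explain a finding.
    Breadth-first traversal records the shortest chain; the visited set
    makes the walk safe against cyclic group references.
    """
    result = {}
    visited = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in directory.get(current, ()):
            if member.startswith(GROUP_PREFIX):
                nested = member[len(GROUP_PREFIX):]
                if nested not in visited:
                    visited.add(nested)
                    queue.append((nested, path + [nested]))
            elif member not in result:
                result[member] = path
    return result


def who_can_access(directory, acl_groups):
    """Expand an ACL given as a list of groups into {user: granting path}:
    the 'who can access this file' question."""
    users = {}
    for group in acl_groups:
        for user, path in effective_members(directory, group).items():
            users.setdefault(user, path)
    return users


def privilege_changes(before, after, privileged_group):
    """Compare two snapshots and return (gained, lost): users whose
    effective membership in `privileged_group` changed, with the path
    that grants (or previously granted) it."""
    old = effective_members(before, privileged_group)
    new = effective_members(after, privileged_group)
    gained = {user: new[user] for user in new.keys() - old.keys()}
    lost = {user: old[user] for user in old.keys() - new.keys()}
    return gained, lost


if __name__ == "__main__":
    gained, lost = privilege_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "Domain Admins")
    for user, path in sorted(gained.items()):
        print(f"ALERT: {user} gained effective membership via {' -> '.join(path)}")
    for user, path in sorted(lost.items()):
        print(f"INFO: {user} lost effective membership via {' -> '.join(path)}")
```

Run against the constructed snapshots, the script reports that dave and erin became effective members of Domain Admins through the chain Domain Admins -> Server Ops -> Backup Operators -> Accounting, even though the direct member list of Domain Admins is unchanged. Comparing resolved memberships between snapshots, rather than raw group edits, is what surfaces this kind of event from the noise the text describes.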